The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you upgrade a Windows NT 4.0 primary domain controller to Windows 2000

Content provided by Microsoft

After you upgrade a Microsoft Windows NT 4.0 Primary domain controller or member server to Microsoft Windows 2000, the Domain Name System (DNS) suffix of the computer name of the new domain controller may not match the name of its domain. When this problem occurs, you may also experience a variety of other symptoms.

Typically, this problem occurs when the following conditions are true:

You install the original release version of Windows 2000 on a Microsoft Windows NT 4.0 domain controller.

A DNS suffix is defined in the Network control panel item of the domain controller.

To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. Alternatively, you may use one of the other methods that this article describes.

Symptoms

After you upgrade a Windows NT 4.0 Primary domain controller or member server to Windows 2000, the DNS suffix of the computer name of the new domain controller may not match the name of its domain.

Additionally, you may experience one or more of the following symptoms:

Active Directory replication does not succeed.

The File Replication service (FRS) stops responding.

When you try to join a computer that is running Microsoft Windows XP Professional to the domain, you receive an error message that is similar to the following:

A domain controller for the domain DomainName.local could not be contacted.

If you click Details in the message window, you see text that is similar to the following:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain DomainName.local. The query was for the SRV record for _ldap._tcp.dc._msdcs.DomainName.LOCAL

You cannot log on to the domain.

When you try to install Active Directory on another member server, you receive an error message that is similar to one of the following messages:

Message 1

The specified domain either does not exist or cannot be contacted

Message 2

A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format

Message 3

The Directory Service failed to create the server object for CN=NTDS Settings,CN=CLIENT01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com on server DC01. Please ensure the network credentials provided have sufficient access to add a replica.

Message 4

The operation failed because: failed finding a suitable domain controller for the domain contoso.com. The specified domain either does not exist or could not be contacted.

You receive the following errors when you try to use any Active Directory MMC snap-in:

Message 1

Naming information cannot be located because: The logon attempt failed

Message 2

Naming information could not be located because the object name has bad syntax

The following events are logged in the System log of a client, member server, or domain controller:

The following events are logged in the Application log of a client, member server, or domain controller:

You receive the following error message when you install the Recipient Update Service (RUS) in Microsoft Exchange Server:

Only one instance of the Recipient Update Service can update a Domain Controller and all Domain Controllers on contoso.com are being updated. ID No: c1039c6c.

In Microsoft Exchange 2000, the Microsoft Exchange System Attendant service does not start, and the following event is logged in the Application log:

You receive the following error message when you try to use the SetSpn command-line tool:

Requested name "contoso\DC01$" not found in directory.

Pre-Boot Execution Environment (PXE) clients do not authenticate, even when you use valid domain administrator credentials. When this problem occurs, the Logon Error page in the Client Installation Wizard shows the following information:

00004e28.OSC error - The System cannot validate your User Name Password or Domain

The system cannot validate your user name, password, or domain name. Verify that your user name and domain name are correct, and then retype your password. Passwords must be typed using the correct case. Be sure the CAPS LOCK key is not pressed.

When you set up a Mobile Information Server (MIS) server, you receive the following error message after you enter the password for the message processor:

Additionally, the following event is logged in the Application log:

When you run the Active Directory Migration Tool (ADMT), the following error is logged in the Migration.log file:

2002-01-23 15:00:34 ERR2:7422 Failed to move object CN=Jsmith, hr=8009030d The credentials supplied to the package were not recognized

The Domain Controller Diagnostic Tool (Dcdiag.exe) reports the following errors:

Starting test: MachineAccount
Could not open pipe with [DC01]:failed with 1231: The network location cannot be reached. For information about network troubleshooting, see Windows Help.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN

When you use the Small Business Personal Console or Active Directory Users and Computers to create users, and then you mailbox-enable the user, the following problems occur:

E-mail properties are not generated.

SMTP addresses are not generated.

The user does not appear in the global address list (GAL).

The following event is logged in the directory service event log:

When you install Windows Services for Unix 2.0, you receive the following error message:

error 26065 NIS Schema Upgrade Failed

Note After Active Directory has been installed on a member server, you cannot rename the computer on the Network Identification tab of Computer Management properties.

Cause

These problems may occur when the following conditions are true:

You install the original release version of Microsoft Windows 2000 on a Microsoft Windows NT 4.0 domain controller.

A DNS suffix is defined in the Network control panel item of the domain controller.

When you install Windows 2000, the Windows 2000 Setup program automatically unchecks the Change primary DNS suffix when domain membership changes check box. Setup also sets the primary DNS suffix to the first suffix that is listed in the Network control panel item. After Active Directory is installed on a member server, the new domain controller tries to resolve the DNS records in the DNS zone that matches its primary DNS suffix.

This problem does not occur if one or more of the following conditions are true:

The Windows NT 4.0 domain controller does not have a DNS suffix defined before the upgrade.

You upgrade the Windows NT 4.0 domain controller to Windows 2000 with Service Pack 1 (SP1) or a later service pack.

If DNS is correctly configured, Windows 2000 and Windows Server 2003 both support a disjoint namespace as a valid configuration. However, this configuration is frequently unintentional.

Resolution

To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. For more information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

Method 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Verify whether there is a disjoint namespace, and then fix the namespace. To do this, follow these steps:

Right-click My Computer, and then click Properties.

In the Properties dialog box, click the Computer Name tab.

If the DNS suffix of the computer name does not match the domain name, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:

Full computer name: dc01.fabrikam.com
Domain: contoso.com

Full computer name: dc01.corp.contoso.com
Domain: contoso.com

Full computer name: dc01
Domain: contoso.com

Alternatively, you can use the Netdiag.exe command-line tool to verify whether there is a disjoint namespace. If the DNS suffix in the DNS host name does not match the DNS domain name in Netdiag, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:

DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com

DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com

DNS Host Name: dc01
DNS Domain Name: contoso.com

Type "ipconfig /all" at a command prompt and examine the DNS suffix to the right of "Connection-specific DNS Suffix."

If the DNS suffix that is defined is invalid or differs from the Domain: entry on the Computer Name tab in step 2, follow these steps:

Click the DNS tab and modify the suffix in the field to the right of "DNS suffix for this connection in DNS" to match the DNS Suffix of the Domain: entry seen in the Computer Name tab of Step 2. Or, uncheck the box to the left of "Use this connection's DNS suffix in DNS registration."

If the DNS name has a single label, and your computer is running Windows 2000 Service Pack 4 (SP4), Windows XP, or Windows Server 2003, use the AllowSingleLabelDnsDomain registry entry to resolve the problem. For example, if the domain name is "contoso" and is not "contoso.com," the DNS name has a single label. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Log on to the domain controller by using an account that has domain administrator credentials.

Paste the following code into Notepad. Then, save the file as Fixdomainsuffix.vbs.

' ADSI control code that clears a property
Const ADS_PROPERTY_CLEAR = 1

' Ask for confirmation before anything is changed
Answer = MsgBox("This script will change the Domain Suffix of this computer" & vbCrLf & _
    "to equal the AD Domain name that this DC is a member of." & vbCrLf & _
    "This script can only be run on a Windows 2000 DC by an" & vbCrLf & _
    "Administrator of the Domain. You must reboot this computer" & vbCrLf & _
    "after the script completes." & vbCrLf & _
    vbCrLf & _
    "Choose ""OK"" to continue ""Cancel"" to stop processing the script", vbOKCancel, _
    "Change DNS Suffix to match AD Domain")

' Offer to reboot so that the new suffix takes effect
Answer = MsgBox("The computer needs to be rebooted for the changes to take effect. Would you like the DC to be rebooted now?", _
    vbYesNo, "Reboot now?")
If Answer = vbYes Then
    Set OpSysSet = GetObject("winmgmts:{(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
    For Each OpSys In OpSysSet
        OpSys.Reboot()
    Next
End If

Note This script automatically modifies the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

The following table lists the entries in this subkey.

Name           Type      Value
Hostname       REG_SZ    computer name
NV Hostname    REG_SZ    computer name
NV Domain      REG_SZ    domain name

Double-click the file that you saved in step 2.

Restart the domain controller.
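
The disjoint-namespace comparison from Method 2, as an added PowerShell example (not part of the original article or of Microsoft's script) that can be run to confirm the result after the restart. It assumes Windows PowerShell 3.0 or later; the function name Get-NamespaceState and its result strings are hypothetical, and the fourth sample pair is constructed.

```powershell
# Added example. Get-NamespaceState is a hypothetical helper name.
function Get-NamespaceState {
    param(
        [Parameter(Mandatory)][string]$DnsHostName,    # e.g. dc01.corp.contoso.com
        [Parameter(Mandatory)][string]$DnsDomainName   # e.g. contoso.com
    )
    # DNS names are case-insensitive; ignore a trailing root dot.
    $fqdn   = $DnsHostName.Trim().TrimEnd('.').ToLowerInvariant()
    $domain = $DnsDomainName.Trim().TrimEnd('.').ToLowerInvariant()

    # Everything after the first label is the primary DNS suffix.
    $dot    = $fqdn.IndexOf('.')
    $suffix = if ($dot -ge 0) { $fqdn.Substring($dot + 1) } else { '' }

    if ($suffix -eq $domain)          { return 'Match' }
    if ($suffix -eq '')               { return 'Disjoint: computer name has no DNS suffix' }
    if ($suffix.EndsWith(".$domain")) { return 'Disjoint: suffix is a child of the domain name' }
    return 'Disjoint: suffix is in a different namespace'
}

# The article's three disjoint examples plus one matching pair (constructed).
$samples = @(
    @{ Fqdn = 'dc01.fabrikam.com';     Domain = 'contoso.com' }
    @{ Fqdn = 'dc01.corp.contoso.com'; Domain = 'contoso.com' }
    @{ Fqdn = 'dc01';                  Domain = 'contoso.com' }
    @{ Fqdn = 'dc01.contoso.com';      Domain = 'contoso.com' }
)
foreach ($s in $samples) {
    '{0,-24}{1,-14}{2}' -f $s.Fqdn, $s.Domain, (Get-NamespaceState $s.Fqdn $s.Domain)
}

# Live check: name and suffix from the registry subkey the article lists,
# domain from WMI (Domain holds the workgroup name when PartOfDomain is false).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $tcpip = Get-ItemProperty -Path $key
    $local = (@($tcpip.'NV Hostname', $tcpip.'NV Domain') | Where-Object { $_ }) -join '.'
    Get-NamespaceState -DnsHostName $local -DnsDomainName $cs.Domain
}
```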

More Information

To use a disjoint namespace, the DNS servers that are used by domain controllers, member servers, and clients must be able to resolve records in the following DNS zones:

DNS zones that are the same as the fully qualified domain that the computer account resides in